pam_exec.so with setuid root binary

Christoph Pleger christoph.pleger at cs.uni-dortmund.de
Tue Nov 13 15:21:17 UTC 2018


Hello,

I am using pam_exec.so with a setuid and setgid root binary because my 
binary calls other programs (like lvcreate, mkfs on the new logical 
volume and chown on the mountpoint of the mounted logical volume) that 
need root access to be successful and because the authenticating service 
itself does not run as root.

But I have not been successful so far in implementing the desired 
features, because at least lvcreate needs the real uid (not only the 
effective uid) to be 0 to perform its task and because, though my binary 
changes the real ids successfully with setuid() and setgid() when called 
from the command line, this does not work with pam_exec, so that the real 
ids remain those of the authenticating service. In both cases, at 
program start, that is before setuid() and setgid(), the real ids

What can I do to solve that? It surprises me that one case does work and 
the other does not, although at program start, that is before setuid() 
and setgid(), the real ids are those of the authenticating service and 
effective and saved ids are 0 in the two cases.

Regards
   Christoph
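
An added diagnostic example, not part of the original post and not Linux-PAM code: a small C helper that logs the real, effective and saved IDs before and after setgid(0) and setuid(0) and checks each return value, so the same setuid binary can be compared when started from the command line and from pam_exec. It is Linux-only because it reads /proc/self/status; the names read_ids, report and become_root are hypothetical.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

struct ids { long r, e, s; };            /* real, effective, saved */

/* Added example, Linux-only: parse the "Uid:" or "Gid:" line of
 * /proc/self/status. Returns 0 on success, -1 otherwise. */
static int read_ids(const char *key, struct ids *out)
{
    char line[256];
    int found = -1;
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return -1;
    while (found != 0 && fgets(line, sizeof line, f))
        if (strncmp(line, key, strlen(key)) == 0 &&
            sscanf(line + strlen(key), "%ld %ld %ld",
                   &out->r, &out->e, &out->s) == 3)
            found = 0;
    fclose(f);
    return found;
}

/* Log all six IDs to stderr with a label. */
static void report(const char *when)
{
    struct ids u, g;
    if (read_ids("Uid:", &u) == 0 && read_ids("Gid:", &g) == 0)
        fprintf(stderr, "%s: uid r/e/s=%ld/%ld/%ld gid r/e/s=%ld/%ld/%ld\n",
                when, u.r, u.e, u.s, g.r, g.e, g.s);
}

/* Group first, then user, checking every return value. Returns 0 only
 * if real, effective and saved uid are all 0 afterwards. */
static int become_root(void)
{
    struct ids u;
    report("before");
    if (setgid(0) != 0)
        fprintf(stderr, "setgid(0): %s\n", strerror(errno));
    if (setuid(0) != 0)
        fprintf(stderr, "setuid(0): %s\n", strerror(errno));
    report("after");
    if (read_ids("Uid:", &u) != 0)
        return -1;
    return (u.r == 0 && u.e == 0 && u.s == 0) ? 0 : -1;
}

int main(void) { return become_root() == 0 ? 0 : 1; }
```

Comparing the "before" and "after" lines from both invocations shows whether the starting IDs really match and which call, if any, returns an error.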



